warzonerat | 33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5

Analysis

max time kernel
153s
max time network
156s
platform
windows7_x64
resource
win7v20210408
submitted
05-05-2021 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9e4fdb4_by_Libranalysis.exe
Size

1.8MB
MD5

b9e4fdb4f1d1e50fb2b1bc6f8e648e91
SHA1

afe3e9370a5fb240ae917a9089fc07b6a54a7bd6
SHA256

33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5
SHA512

ff4f45aca5c634e0e64623c8dd1e5521b502713166c5cc01699d3eef24b39e3ae7238d8afa61457c418d242cadb9505ba09a7b50cfac55cf5fa4855c7bdb2cad

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
792	explorer.exe
1888	explorer.exe
1548	spoolsv.exe
1148	spoolsv.exe
964	spoolsv.exe
336	spoolsv.exe
1676	spoolsv.exe
1316	spoolsv.exe
1688	spoolsv.exe
2020	spoolsv.exe
1368	spoolsv.exe
1132	spoolsv.exe
1864	spoolsv.exe
1700	spoolsv.exe
316	spoolsv.exe
1608	spoolsv.exe
1792	spoolsv.exe
848	spoolsv.exe
1716	spoolsv.exe
1640	spoolsv.exe
380	spoolsv.exe
288	spoolsv.exe
1396	spoolsv.exe
1288	spoolsv.exe
1376	spoolsv.exe
1012	spoolsv.exe
1796	spoolsv.exe
1284	spoolsv.exe
956	spoolsv.exe
916	spoolsv.exe
940	spoolsv.exe
2028	spoolsv.exe
1360	spoolsv.exe
1988	spoolsv.exe
1328	spoolsv.exe
1760	spoolsv.exe
1064	spoolsv.exe
788	spoolsv.exe
1352	spoolsv.exe
760	spoolsv.exe
1652	spoolsv.exe
1648	spoolsv.exe
1668	spoolsv.exe
548	spoolsv.exe
432	spoolsv.exe
1624	spoolsv.exe
1836	spoolsv.exe
1692	spoolsv.exe
856	spoolsv.exe
2012	spoolsv.exe
1280	spoolsv.exe
1748	spoolsv.exe
872	spoolsv.exe
1708	spoolsv.exe
1320	spoolsv.exe
1848	spoolsv.exe
1644	spoolsv.exe
1476	spoolsv.exe
1140	spoolsv.exe
1032	spoolsv.exe
1596	spoolsv.exe
1992	spoolsv.exe
1904	spoolsv.exe
816	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

b9e4fdb4_by_Libranalysis.exeexplorer.exe

pid	process
1708	b9e4fdb4_by_Libranalysis.exe
1708	b9e4fdb4_by_Libranalysis.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe

Adds Run key to start application 2 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeb9e4fdb4_by_Libranalysis.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	b9e4fdb4_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 57 IoCs

Processes:

b9e4fdb4_by_Libranalysis.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1816 set thread context of 1708	1816	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 1816 set thread context of 1672	1816	b9e4fdb4_by_Libranalysis.exe	diskperf.exe
PID 792 set thread context of 1888	792	explorer.exe	explorer.exe
PID 792 set thread context of 1812	792	explorer.exe	diskperf.exe
PID 1548 set thread context of 3384	1548	spoolsv.exe	spoolsv.exe
PID 1548 set thread context of 3392	1548	spoolsv.exe	diskperf.exe
PID 1148 set thread context of 3440	1148	spoolsv.exe	spoolsv.exe
PID 1148 set thread context of 3448	1148	spoolsv.exe	diskperf.exe
PID 964 set thread context of 3472	964	spoolsv.exe	spoolsv.exe
PID 964 set thread context of 3480	964	spoolsv.exe	diskperf.exe
PID 336 set thread context of 3508	336	spoolsv.exe	spoolsv.exe
PID 336 set thread context of 3516	336	spoolsv.exe	diskperf.exe
PID 1676 set thread context of 3544	1676	spoolsv.exe	spoolsv.exe
PID 1676 set thread context of 3552	1676	spoolsv.exe	diskperf.exe
PID 1316 set thread context of 3580	1316	spoolsv.exe	spoolsv.exe
PID 1316 set thread context of 3588	1316	spoolsv.exe	diskperf.exe
PID 1688 set thread context of 3608	1688	spoolsv.exe	spoolsv.exe
PID 1688 set thread context of 3616	1688	spoolsv.exe	diskperf.exe
PID 2020 set thread context of 3644	2020	spoolsv.exe	spoolsv.exe
PID 2020 set thread context of 3652	2020	spoolsv.exe	diskperf.exe
PID 1368 set thread context of 3680	1368	spoolsv.exe	spoolsv.exe
PID 1368 set thread context of 3688	1368	spoolsv.exe	diskperf.exe
PID 1132 set thread context of 3716	1132	spoolsv.exe	spoolsv.exe
PID 1132 set thread context of 3724	1132	spoolsv.exe	diskperf.exe
PID 1864 set thread context of 3752	1864	spoolsv.exe	spoolsv.exe
PID 1864 set thread context of 3772	1864	spoolsv.exe	diskperf.exe
PID 1700 set thread context of 3792	1700	spoolsv.exe	spoolsv.exe
PID 1700 set thread context of 3800	1700	spoolsv.exe	diskperf.exe
PID 316 set thread context of 3820	316	spoolsv.exe	spoolsv.exe
PID 316 set thread context of 3828	316	spoolsv.exe	diskperf.exe
PID 1608 set thread context of 3856	1608	spoolsv.exe	spoolsv.exe
PID 1608 set thread context of 3864	1608	spoolsv.exe	diskperf.exe
PID 1792 set thread context of 3888	1792	spoolsv.exe	spoolsv.exe
PID 1792 set thread context of 3896	1792	spoolsv.exe	diskperf.exe
PID 848 set thread context of 3924	848	spoolsv.exe	spoolsv.exe
PID 848 set thread context of 3932	848	spoolsv.exe	diskperf.exe
PID 1716 set thread context of 3960	1716	spoolsv.exe	spoolsv.exe
PID 1716 set thread context of 3968	1716	spoolsv.exe	diskperf.exe
PID 1640 set thread context of 3992	1640	spoolsv.exe	spoolsv.exe
PID 1640 set thread context of 4000	1640	spoolsv.exe	diskperf.exe
PID 288 set thread context of 4028	288	spoolsv.exe	spoolsv.exe
PID 288 set thread context of 4048	288	spoolsv.exe	diskperf.exe
PID 380 set thread context of 4020	380	spoolsv.exe	spoolsv.exe
PID 380 set thread context of 4056	380	spoolsv.exe	diskperf.exe
PID 1396 set thread context of 4064	1396	spoolsv.exe	spoolsv.exe
PID 1396 set thread context of 4072	1396	spoolsv.exe	diskperf.exe
PID 1288 set thread context of 4080	1288	spoolsv.exe	spoolsv.exe
PID 1288 set thread context of 1580	1288	spoolsv.exe	diskperf.exe
PID 1376 set thread context of 1704	1376	spoolsv.exe	spoolsv.exe
PID 1012 set thread context of 3416	1012	spoolsv.exe	spoolsv.exe
PID 1376 set thread context of 3412	1376	spoolsv.exe	diskperf.exe
PID 1012 set thread context of 752	1012	spoolsv.exe	diskperf.exe
PID 1796 set thread context of 3476	1796	spoolsv.exe	spoolsv.exe
PID 1796 set thread context of 3492	1796	spoolsv.exe	diskperf.exe
PID 1284 set thread context of 3524	1284	spoolsv.exe	spoolsv.exe
PID 1284 set thread context of 3568	1284	spoolsv.exe	diskperf.exe
PID 916 set thread context of 1040	916	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exeb9e4fdb4_by_Libranalysis.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	b9e4fdb4_by_Libranalysis.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b9e4fdb4_by_Libranalysis.exeexplorer.exe

pid	process
1708	b9e4fdb4_by_Libranalysis.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1888 explorer.exe

pid	process
1888	explorer.exe

Suspicious use of SetWindowsHookEx 59 IoCs

Processes:

pid	process
1708	b9e4fdb4_by_Libranalysis.exe
1708	b9e4fdb4_by_Libranalysis.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
1888	explorer.exe
3384	spoolsv.exe
3384	spoolsv.exe
3440	spoolsv.exe
3440	spoolsv.exe
3472	spoolsv.exe
3472	spoolsv.exe
3508	spoolsv.exe
3508	spoolsv.exe
3544	spoolsv.exe
3544	spoolsv.exe
3580	spoolsv.exe
3580	spoolsv.exe
3608	spoolsv.exe
3608	spoolsv.exe
3644	spoolsv.exe
3644	spoolsv.exe
3680	spoolsv.exe
3680	spoolsv.exe
3716	spoolsv.exe
3716	spoolsv.exe
3752	spoolsv.exe
3752	spoolsv.exe
3792	spoolsv.exe
3792	spoolsv.exe
3820	spoolsv.exe
3820	spoolsv.exe
3856	spoolsv.exe
3856	spoolsv.exe
3888	spoolsv.exe
3888	spoolsv.exe
3924	spoolsv.exe
3924	spoolsv.exe
3960	spoolsv.exe
3960	spoolsv.exe
3992	spoolsv.exe
3992	spoolsv.exe
4028	spoolsv.exe
4028	spoolsv.exe
4020	spoolsv.exe
4020	spoolsv.exe
4064	spoolsv.exe
4064	spoolsv.exe
4080	spoolsv.exe
4080	spoolsv.exe
1704	spoolsv.exe
3416	spoolsv.exe
1704	spoolsv.exe
3416	spoolsv.exe
3476	spoolsv.exe
3476	spoolsv.exe
3524	spoolsv.exe
3524	spoolsv.exe
1040	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b9e4fdb4_by_Libranalysis.exeb9e4fdb4_by_Libranalysis.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1816 wrote to memory of 1708	1816	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 1816 wrote to memory of 1708	1816	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 1816 wrote to memory of 1708	1816	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 1816 wrote to memory of 1708	1816	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 1816 wrote to memory of 1708	1816	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 1816 wrote to memory of 1708	1816	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 1816 wrote to memory of 1708	1816	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 1816 wrote to memory of 1708	1816	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 1816 wrote to memory of 1708	1816	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 1816 wrote to memory of 1672	1816	b9e4fdb4_by_Libranalysis.exe	diskperf.exe
PID 1816 wrote to memory of 1672	1816	b9e4fdb4_by_Libranalysis.exe	diskperf.exe
PID 1816 wrote to memory of 1672	1816	b9e4fdb4_by_Libranalysis.exe	diskperf.exe
PID 1816 wrote to memory of 1672	1816	b9e4fdb4_by_Libranalysis.exe	diskperf.exe
PID 1816 wrote to memory of 1672	1816	b9e4fdb4_by_Libranalysis.exe	diskperf.exe
PID 1816 wrote to memory of 1672	1816	b9e4fdb4_by_Libranalysis.exe	diskperf.exe
PID 1708 wrote to memory of 792	1708	b9e4fdb4_by_Libranalysis.exe	explorer.exe
PID 1708 wrote to memory of 792	1708	b9e4fdb4_by_Libranalysis.exe	explorer.exe
PID 1708 wrote to memory of 792	1708	b9e4fdb4_by_Libranalysis.exe	explorer.exe
PID 1708 wrote to memory of 792	1708	b9e4fdb4_by_Libranalysis.exe	explorer.exe
PID 792 wrote to memory of 1888	792	explorer.exe	explorer.exe
PID 792 wrote to memory of 1888	792	explorer.exe	explorer.exe
PID 792 wrote to memory of 1888	792	explorer.exe	explorer.exe
PID 792 wrote to memory of 1888	792	explorer.exe	explorer.exe
PID 792 wrote to memory of 1888	792	explorer.exe	explorer.exe
PID 792 wrote to memory of 1888	792	explorer.exe	explorer.exe
PID 792 wrote to memory of 1888	792	explorer.exe	explorer.exe
PID 792 wrote to memory of 1888	792	explorer.exe	explorer.exe
PID 792 wrote to memory of 1888	792	explorer.exe	explorer.exe
PID 792 wrote to memory of 1812	792	explorer.exe	diskperf.exe
PID 792 wrote to memory of 1812	792	explorer.exe	diskperf.exe
PID 792 wrote to memory of 1812	792	explorer.exe	diskperf.exe
PID 792 wrote to memory of 1812	792	explorer.exe	diskperf.exe
PID 792 wrote to memory of 1812	792	explorer.exe	diskperf.exe
PID 792 wrote to memory of 1812	792	explorer.exe	diskperf.exe
PID 1888 wrote to memory of 1548	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1548	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1548	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1548	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1148	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1148	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1148	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1148	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 964	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 964	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 964	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 964	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 336	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 336	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 336	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 336	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1676	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1676	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1676	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1676	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1316	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1316	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1316	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1316	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1688	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1688	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1688	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 1688	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 2020	1888	explorer.exe	spoolsv.exe
PID 1888 wrote to memory of 2020	1888	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\b9e4fdb4_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\b9e4fdb4_by_Libranalysis.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\b9e4fdb4_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\b9e4fdb4_by_Libranalysis.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:792

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3384

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3432

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3440

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3460

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3472

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3500

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3508

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3528

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3544

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3572

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3600

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3608

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3636

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3644

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3664

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3680

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3700

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3716

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3736

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3752

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3764

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3792

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3812

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3820

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3848

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3856

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3876

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3916

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3924

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3944

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3960

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3980

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3992

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4012

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4028

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4040

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4064

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1288

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1376

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1704

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1012

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3476

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3512

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3524

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3564

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:916

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1040

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3612

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3712

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1360

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3744

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1000

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3784

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1760

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3844

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3872

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1252

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3892

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3928

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3964

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4024

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1668

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:548

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:432

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3456

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3420

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3476

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:856

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3584

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3672

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2000

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3824

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3884

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3904

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4080

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3992

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1592

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:748

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4084

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1140

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1556

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1412

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1512

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1776

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1116

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4068

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:896

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:620

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1412

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:968

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3924

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1572

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1264

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1344

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1016

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1560

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3992

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4104

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1412

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1496

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3424

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1812

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1672

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:4092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5
b9e4fdb4f1d1e50fb2b1bc6f8e648e91

SHA1
afe3e9370a5fb240ae917a9089fc07b6a54a7bd6

SHA256
33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5

SHA512
ff4f45aca5c634e0e64623c8dd1e5521b502713166c5cc01699d3eef24b39e3ae7238d8afa61457c418d242cadb9505ba09a7b50cfac55cf5fa4855c7bdb2cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5
2cc0b6a1cd76c3247fafc3bac0b05903

SHA1
a660b91b15c9095903f74be1d898686c455439dd

SHA256
00b6abde5a4976d046cef84ea1433553a6c6b5a02b10d22a972596f35675a10f

SHA512
a910db71a69c58b6c8e45ce85cdba0c984c22fac343e240033b5284d984ecfc31fb37837cff858cfa7306d07354c276a40f869d77c1982fbc54120da29d595ea

Download Submit
C:\Windows\system\explorer.exe

MD5
2cc0b6a1cd76c3247fafc3bac0b05903

SHA1
a660b91b15c9095903f74be1d898686c455439dd

SHA256
00b6abde5a4976d046cef84ea1433553a6c6b5a02b10d22a972596f35675a10f

SHA512
a910db71a69c58b6c8e45ce85cdba0c984c22fac343e240033b5284d984ecfc31fb37837cff858cfa7306d07354c276a40f869d77c1982fbc54120da29d595ea

Download Submit
C:\Windows\system\explorer.exe

MD5
2cc0b6a1cd76c3247fafc3bac0b05903

SHA1
a660b91b15c9095903f74be1d898686c455439dd

SHA256
00b6abde5a4976d046cef84ea1433553a6c6b5a02b10d22a972596f35675a10f

SHA512
a910db71a69c58b6c8e45ce85cdba0c984c22fac343e240033b5284d984ecfc31fb37837cff858cfa7306d07354c276a40f869d77c1982fbc54120da29d595ea

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
C:\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\??\c:\windows\system\explorer.exe

MD5
2cc0b6a1cd76c3247fafc3bac0b05903

SHA1
a660b91b15c9095903f74be1d898686c455439dd

SHA256
00b6abde5a4976d046cef84ea1433553a6c6b5a02b10d22a972596f35675a10f

SHA512
a910db71a69c58b6c8e45ce85cdba0c984c22fac343e240033b5284d984ecfc31fb37837cff858cfa7306d07354c276a40f869d77c1982fbc54120da29d595ea

Download Submit
\Windows\system\explorer.exe

MD5
2cc0b6a1cd76c3247fafc3bac0b05903

SHA1
a660b91b15c9095903f74be1d898686c455439dd

SHA256
00b6abde5a4976d046cef84ea1433553a6c6b5a02b10d22a972596f35675a10f

SHA512
a910db71a69c58b6c8e45ce85cdba0c984c22fac343e240033b5284d984ecfc31fb37837cff858cfa7306d07354c276a40f869d77c1982fbc54120da29d595ea

Download Submit
\Windows\system\explorer.exe

MD5
2cc0b6a1cd76c3247fafc3bac0b05903

SHA1
a660b91b15c9095903f74be1d898686c455439dd

SHA256
00b6abde5a4976d046cef84ea1433553a6c6b5a02b10d22a972596f35675a10f

SHA512
a910db71a69c58b6c8e45ce85cdba0c984c22fac343e240033b5284d984ecfc31fb37837cff858cfa7306d07354c276a40f869d77c1982fbc54120da29d595ea

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
\Windows\system\spoolsv.exe

MD5
6490f39886535f8900d096cb0770c800

SHA1
95c8253acc0bf362ba373e1152103175a4f86f05

SHA256
b1ca2ecb872475b1b119ead161033424bf1287ac9b57cb942a3a4fc0d0568933

SHA512
2b811cea7e81e1f73ffa5ffe1f0dc0e52637086a079fcb0d87bb3888ed383c8bf630cd70023705239f8e631e85f9aa8747e86ab1325dcea989648a70389909df

Download Submit
memory/288-207-0x0000000000000000-mapping.dmp

Download
memory/316-176-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/316-167-0x0000000000000000-mapping.dmp

Download
memory/336-122-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/336-114-0x0000000000000000-mapping.dmp

Download
memory/380-203-0x0000000000000000-mapping.dmp

Download
memory/432-291-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/432-276-0x0000000000000000-mapping.dmp

Download
memory/548-274-0x0000000000000000-mapping.dmp

Download
memory/760-258-0x0000000000000000-mapping.dmp

Download
memory/788-268-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/788-254-0x0000000000000000-mapping.dmp

Download
memory/792-78-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/792-75-0x0000000000000000-mapping.dmp

Download
memory/848-185-0x0000000000000000-mapping.dmp

Download
memory/848-192-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/856-295-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/856-284-0x0000000000000000-mapping.dmp

Download
memory/872-306-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/872-298-0x0000000000000000-mapping.dmp

Download
memory/916-244-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/916-230-0x0000000000000000-mapping.dmp

Download
memory/940-232-0x0000000000000000-mapping.dmp

Download
memory/940-246-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/956-228-0x0000000000000000-mapping.dmp

Download
memory/956-243-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/964-106-0x0000000000000000-mapping.dmp

Download
memory/964-110-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1012-224-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1012-215-0x0000000000000000-mapping.dmp

Download
memory/1032-313-0x0000000000000000-mapping.dmp

Download
memory/1064-252-0x0000000000000000-mapping.dmp

Download
memory/1132-162-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1132-149-0x0000000000000000-mapping.dmp

Download
memory/1140-310-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1140-305-0x0000000000000000-mapping.dmp

Download
memory/1148-111-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1148-101-0x0000000000000000-mapping.dmp

Download
memory/1280-288-0x0000000000000000-mapping.dmp

Download
memory/1280-290-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1284-226-0x0000000000000000-mapping.dmp

Download
memory/1284-241-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1288-211-0x0000000000000000-mapping.dmp

Download
memory/1316-134-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1316-126-0x0000000000000000-mapping.dmp

Download
memory/1320-308-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1320-300-0x0000000000000000-mapping.dmp

Download
memory/1328-240-0x0000000000000000-mapping.dmp

Download
memory/1328-245-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1352-256-0x0000000000000000-mapping.dmp

Download
memory/1360-248-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1360-236-0x0000000000000000-mapping.dmp

Download
memory/1368-150-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1368-143-0x0000000000000000-mapping.dmp

Download
memory/1376-213-0x0000000000000000-mapping.dmp

Download
memory/1376-223-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1396-209-0x0000000000000000-mapping.dmp

Download
memory/1476-312-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1476-303-0x0000000000000000-mapping.dmp

Download
memory/1548-96-0x0000000000000000-mapping.dmp

Download
memory/1548-109-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1596-314-0x0000000000000000-mapping.dmp

Download
memory/1608-172-0x0000000000000000-mapping.dmp

Download
memory/1608-177-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1624-278-0x0000000000000000-mapping.dmp

Download
memory/1640-197-0x0000000000000000-mapping.dmp

Download
memory/1640-204-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1644-302-0x0000000000000000-mapping.dmp

Download
memory/1648-262-0x0000000000000000-mapping.dmp

Download
memory/1648-273-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1652-272-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1652-260-0x0000000000000000-mapping.dmp

Download
memory/1668-269-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1668-264-0x0000000000000000-mapping.dmp

Download
memory/1672-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1672-66-0x0000000000411000-mapping.dmp

Download
memory/1672-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1676-119-0x0000000000000000-mapping.dmp

Download
memory/1676-123-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1688-131-0x0000000000000000-mapping.dmp

Download
memory/1688-135-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1692-282-0x0000000000000000-mapping.dmp

Download
memory/1700-175-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1700-160-0x0000000000000000-mapping.dmp

Download
memory/1708-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1708-299-0x0000000000000000-mapping.dmp

Download
memory/1708-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1708-63-0x0000000000403670-mapping.dmp

Download
memory/1716-191-0x0000000000000000-mapping.dmp

Download
memory/1716-201-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1748-297-0x0000000000000000-mapping.dmp

Download
memory/1760-250-0x0000000000000000-mapping.dmp

Download
memory/1760-265-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1792-180-0x0000000000000000-mapping.dmp

Download
memory/1792-188-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1796-218-0x0000000000000000-mapping.dmp

Download
memory/1796-225-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1812-86-0x0000000000411000-mapping.dmp

Download
memory/1816-60-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/1816-61-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1836-280-0x0000000000000000-mapping.dmp

Download
memory/1836-293-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1848-309-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1848-301-0x0000000000000000-mapping.dmp

Download
memory/1864-164-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1864-155-0x0000000000000000-mapping.dmp

Download
memory/1888-81-0x0000000000403670-mapping.dmp

Download
memory/1988-238-0x0000000000000000-mapping.dmp

Download
memory/2012-286-0x0000000000000000-mapping.dmp

Download
memory/2012-296-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2020-138-0x0000000000000000-mapping.dmp

Download
memory/2020-147-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2028-234-0x0000000000000000-mapping.dmp

Download
memory/2028-247-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download